Closed daxim closed 9 years ago
Details are available at http://www.forallsecure.com/bug-reports/79c31f70848a65002493a88828e05970c3e75c1a/. The input there is a bit more complicated than actually needed to trigger the crash. It boils down to a null byte on the command-line:
perl5i \000 -e
Program received signal SIGSEGV, Segmentation fault.
__strlen_sse2 () at ../sysdeps/x86_64/strlen.S:31
(gdb) bt full
#0 __strlen_sse2 () at ../sysdeps/x86_64/strlen.S:31
No locals.
#1 0x00007ffff7a99e9e in __GI__IO_fputs (str=str@entry=0x0, fp=fp@entry=0x603070) at iofputs.c:36
len = <optimized out>
result = <optimized out>
#2 0x0000000000400a17 in main (argc=3, argv=0x7fffffffd8c8) at bin/perl5i.c:76
tempfile = "/tmp/perl5i.xBStkm"
fd = <optimized out>
fh = 0x603070
i = 4
j = 3
perl_cmd = 0x400c88 "/home/daxim/local/share/perlbrew/perls/perl-5.16.3/bin/perl"
perl_args = {0x400c88 "/home/daxim/local/share/perlbrew/perls/perl-5.16.3/bin/perl",
0x603010 "-Mperl5i::cmd=/home/daxim/local/share/perlbrew/perls/perl-5.16.3/bin/perl5i", 0x7fffffffde1e "000", 0x0}
dash_m = <optimized out>
program = 0x0
saw_dash_e = 1
perl5i.c line 76 is fprintf( fh, "%s", program );, and program is 0x0.
I wrote bin/perl5i.c and I can tell you my C is horrible. Any help and patching or rewrite of that code would be appreciated.
Fixed by #273
thanks. yes, only mayhem brought me to this :)
Hi!
On Wed, Jul 23, 2014 at 12:38:56PM -0700, Reini Urban wrote:
thanks. yes, only mayhem brought me to this :)
Is this really fixed with new upstream version 2.13.0?
With the reproducer
$ perl5i \000 -e
I still get a Segmentation fault.
(this is on Debian unstable, built 2.13.0, but had no further time to investigate).
Regards, Salvatore
I cannot reproduce this on OS X, fwiw, with either 2.12.0 or 2.13.0. perl -e 'system "perl5i \x{00} -e"' acts equivalent to perl5i (it waits for code on stdin).
perl -e 'system "perl5i \x{00} -e"' seems not the correct way to reproduce it. I cannot reproduce it in Debian Testing (currently having 2.13.0) with that commandline, but I can reproduce it with perl5i \000 -e and inside Perl's system() with perl -e 'system("perl5i \\000 -e");'
I can reproduce it on Wheezy/Sid with Perl 5.20.1.
I have it. It was just perl5i -e. It wouldn't check there was an argument after the -e, would read one too far on argv, and then try to printf that.
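The argv over-read described above, with the bounds check it was missing, as an added illustration that is not perl5i's own bin/perl5i.c (find_dash_e and write_program are hypothetical names; the sample argv arrays are constructed to match the thread's reproducer):

```c
#include <stdio.h>
#include <string.h>

/*
 * Bounds-checked scan of argv for "-e CODE". The original loop took
 * argv[i+1] unconditionally; C guarantees argv[argc] == NULL, so a
 * trailing "-e" produced program == 0x0, which fprintf("%s") then
 * dereferenced (the strlen frame in the backtrace).
 * Returns the program text, or NULL when none follows -e.
 */
const char *find_dash_e(int argc, char *argv[], int *saw_dash_e)
{
    *saw_dash_e = 0;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-e") != 0)
            continue;
        *saw_dash_e = 1;
        if (i + 1 >= argc)      /* -e is the last argument: no code */
            return NULL;
        return argv[i + 1];
    }
    return NULL;
}

/* Writes the -e program to fh only when one was actually supplied;
 * returns 2 (usage error) instead of passing a NULL pointer on. */
int write_program(FILE *fh, int argc, char *argv[])
{
    int saw;
    const char *program = find_dash_e(argc, argv, &saw);
    if (saw && program == NULL) {
        fprintf(stderr, "perl5i: -e requires an argument\n");
        return 2;
    }
    if (program != NULL)
        fprintf(fh, "%s", program);
    return 0;
}
```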
Security researchers have found crash bugs in perl5i as shipped in Debian Wheezy using Mayhem, an automated bug finding tool. http://lists.debian.org/debian-devel/2013/06/msg00720.html I have started communication with the Mayhem team in order to "short-circuit" the middle-men maintainers and get the details (the buggy command-line input, backtrace after crash, etc.) ASAP.
Is there any need to keep the details confidential until the underlying bugs are fixed? If not, I'll publish them just here.